ClawHub

Update Plus

Security checks across malware telemetry and agentic risk

Overview

This looks like a real backup/update tool, but it needs review because it can change installed agent code, run unattended updates, and restore or delete local files in risky ways.

Install only after verifying the GitHub source or pinning a reviewed commit, and be aware the packaged entrypoint is missing from this artifact. Use check or --dry-run before updates, keep backups encrypted before enabling cloud sync, do not use untrusted update-plus.json files, review restore targets carefully, and enable cron only if unattended updates are acceptable.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Rogue AgentSelf-Modification, Session Persistence
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • MCP Tool PoisoningHidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
88% confidence
Finding
The skill advertises shell-capable operations such as cloning repositories, editing shell startup files, and managing backups/updates, but does not declare any permissions. This creates a transparency and trust problem: users and policy engines cannot accurately assess that the skill can execute system commands and modify the local environment.

Tp4

High
Category
MCP Tool Poisoning
Confidence
93% confidence
Finding
The documented purpose focuses on backup/update/restore, but the described behavior extends to cron installation, outbound notifications, cloud upload via rclone, backup comparison, and log cleanup. These extra capabilities increase privilege, persistence, data egress, and system modification risk beyond what a user would reasonably expect from the summary.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises cloud sync and notifications without clearly warning that backups, metadata, or contact information may be transmitted to external services. Because backups can contain sensitive configuration and workspace data, users need explicit notice before enabling any feature that may send data off-host.

Missing User Warnings

Medium
Confidence
90% confidence
Finding
The skill advertises cloud sync and notifications without clearly warning that backups, metadata, or contact information may be transmitted to external services. Because backups can contain sensitive configuration and workspace data, users need explicit notice before enabling any feature that may send data off-host.

Missing User Warnings

Medium
Confidence
79% confidence
Finding
The function unconditionally calls upload_to_remote after backup creation, and the call site provides no explicit user-facing notice that archive contents may be transmitted off-host when REMOTE_STORAGE_ENABLED is true. Because backups can contain sensitive config, workspace, and skill data, silent or poorly disclosed exfiltration to remote storage increases confidentiality risk.

Missing User Warnings

Medium
Confidence
81% confidence
Finding
The backup workflow automatically triggers cleanup of old backups immediately after creation, including remote deletion later in clean_old_backups, without any visible warning at the call site about destructive retention behavior. This can cause unintended data loss if retention settings are misconfigured or the user did not realize old local or remote backups would be removed automatically.

Session Persistence

Medium
Category
Rogue Agent
Content
### Add to PATH

```bash
mkdir -p ~/bin
echo 'export PATH="$HOME/bin:$PATH"' >> ~/.zshrc
source ~/.zshrc
ln -sf ~/.openclaw/skills/update-plus/bin/update-plus ~/bin/update-plus
Confidence
81% confidence
Finding
mkdir -p ~/bin echo 'export PATH="$HOME/bin:$PATH"' >> ~/.zshrc source ~/.zshrc ln -sf ~/.openclaw/skills/update-plus/bin/update-plus ~/bin/update-plus ``` ## Configuration Create `~/.openclaw/updat

Self-Modification

High
Category
Rogue Agent
Content
# Update all skills
update_skills() {
  if [[ "$DRY_RUN" == true ]]; then
    log_dry_run "Would update skills"
    log_info "Checking for skill updates..."
    update_git_skills
    return 0
Confidence
93% confidence
Finding
update skill

Self-Modification

High
Category
Rogue Agent
Content
update_git_skills
}

# Update skills via git pull
update_git_skills() {
  local skills_dirs_json=$(get_skills_dirs)
Confidence
96% confidence
Finding
Update skill

VirusTotal

66/66 vendors flagged this skill as clean.

View on VirusTotal